[Snort-sigs] RE: Trying to capture web traffic

Paul Schmehl pauls at ...1311...
Tue Feb 17 11:50:01 EST 2004


--On Tuesday, February 17, 2004 10:28 AM -0800 whipsmack 
<whipsmack0 at ...144...> wrote:
>
># The rule should be:
> log tcp rooted_host 80 -> any any (content: "HTTP/1.1"; nocase; flags:PA;
> msg: "blah, blah"; etc.)
>
OK.

> However, this will not work though either, since I HAVE to have a
> catch-all log statement at the end since we just don't know what the
> trigger for the backdoor shell is, I only suspect it's over web:
> log tcp any any <> 10.1.1.50 any
> log udp any any <> 10.1.1.50 any
> log icmp any any <> 10.1.1.50 any

For the catchall rule, you really would need only one, like this:
log ip any any <> 10.1.1.50 any

IP includes tcp, udp and icmp.
>
> So, because of my catch-all's I end up logging everything.  What I want
> first is to log all data sent to the server to port 80 (which I've
> already got that down)
># This should capture almost all GETs, POSTs and HEADs, etc
> log tcp any any -> 10.1.1.50 80 (flags: PA;)
> log tcp any any -> 10.1.1.50 80 (flags: SP;)
># This should capture any data sent, odd but allowed per RFC
> log tcp any any -> 10.1.1.50 80 (flags: S; dsize: >1;)
> log tcp any any -> 10.1.1.50 90 (flags: A; dsize: >1;)

If you want all data to port 80, you really don't need all this 
specificity.  Just use:
log tcp any any -> 10.1.1.50 80 (msg: "port 80 traffic"; blah, blah)
>
>
> Second, I want to log *only* the PA's from the server with HTTP status
> codes, nothing else... no other PA's with just continuation packets, not
> other flags like RESET, or FINs, or FA, or FAP, or etc, etc, etc.....I
> have everything working except the dang PA thing.  I just want some way
> to log PA from the server with HTTP status codes but somehow pass all
> other PA's from the server.
> Thanks

Run two instances of snort.  One instance should alert on the port 80 PA 
stuff only and log to a directory that you name specifically, 
/var/log/PA_only for example.  Run the second instance to capture all 
traffic to/from that host and name its log directory /var/log/all_pkts (or 
whatever.)

You can do this easily by starting snort with the -l "logdir" switch. 
Perhaps you haven't run snort ? to see what switches are available to you?

So, you'd have two instances of snort, starting something like this:
snort1 -l /var/log/PA_only -d -u root -g snort -c /usr/local/etc/snort1.conf
snort2 -l /var/log/all -d -u root -g snort -c /usr/local/etc/snort2.conf

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
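The filter the original poster is after, as an added example that is not part of the thread or of Snort itself: a small Python classifier over constructed packet records that implements, in plain code, what the quoted rule `log tcp rooted_host 80 -> any any (content: "HTTP/1.1"; nocase; flags:PA; ...)` expresses. It logs a PSH+ACK segment from the server only when the payload starts with an HTTP status line and passes every other segment (continuation data that also carries PA, pure ACKs, FIN/ACK, FIN+PSH+ACK, and anything from the client side). Anchoring the match at the start of the payload (Snort's `depth` option) is this example's own addition to the rule quoted above; the host 10.1.1.50 comes from the thread, and all packets are constructed, not captured.

```python
"""Added example (not from the original post or from Snort): log only
PSH+ACK segments from the web server whose payload begins with an HTTP
status line, and pass all other server-side segments. Equivalent in
intent to a Snort rule of the form
    log tcp 10.1.1.50 80 -> any any (content:"HTTP/1."; depth:7; flags:PA;)
The packet records below are constructed sample data, not real traffic.
"""
import re

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PA = PSH | ACK          # Snort's flags:PA means exactly PSH and ACK set

SERVER = "10.1.1.50"    # the monitored host from the thread

# "HTTP/1.x <3-digit status> " at offset 0 of the payload. Anchoring at the
# start (what Snort's depth/offset achieve) is what separates a status-line
# segment from a continuation segment that merely contains the string.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5][0-9]{2} ")


def is_server_status_segment(pkt):
    """True only for PSH+ACK segments from SERVER:80 whose payload starts
    with an HTTP status line; everything else is passed, not logged."""
    if pkt["src"] != SERVER or pkt["sport"] != 80:
        return False
    # Exact match on PSH+ACK: FIN+PSH+ACK, PSH+ACK+URG etc. do not qualify,
    # mirroring Snort's flags:PA without a '+' modifier.
    if pkt["flags"] != PA:
        return False
    return STATUS_LINE.match(pkt["payload"]) is not None


def log_selected(packets):
    """Return the ids of the packets the filter would log."""
    return [p["id"] for p in packets if is_server_status_segment(p)]


# Constructed sample segments (hypothetical, not captured traffic).
SAMPLE = [
    {"id": 1, "src": SERVER, "sport": 80, "flags": PA,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"},
    {"id": 2, "src": SERVER, "sport": 80, "flags": PA,
     "payload": b"...more body bytes, no status line..."},     # continuation
    {"id": 3, "src": SERVER, "sport": 80, "flags": ACK,
     "payload": b""},                                           # pure ACK
    {"id": 4, "src": SERVER, "sport": 80, "flags": FIN | ACK,
     "payload": b""},                                           # FA
    {"id": 5, "src": SERVER, "sport": 80, "flags": PA | FIN,
     "payload": b"HTTP/1.0 404 Not Found\r\n\r\n"},             # FAP, not PA
    {"id": 6, "src": "192.0.2.7", "sport": 4321, "flags": PA,
     "payload": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"},          # client side
    {"id": 7, "src": SERVER, "sport": 80, "flags": PA,
     "payload": b"<p>mentions HTTP/1.1 200 in the body</p>"},   # mid-payload
]

if __name__ == "__main__":
    print("would log:", log_selected(SAMPLE))   # -> [1]
```

The two checks that matter are the exact flag comparison (so FA and FAP segments fall through, which is why a `flags:PA` rule does not fire on them) and the anchored status-line match (without `depth`, a `content:"HTTP/1.1"` rule would also fire on a continuation segment whose body happens to contain that string, which is packet 7 above).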

